Particle.news

Drift Protocol Hack Tied to North Korea–Linked Operation After Six-Month Infiltration

The case shows how state-backed hackers can bypass cold-wallet controls by exploiting social trust built offline.

Overview

  • Drift Protocol froze its platform after an April 1 exploit that drained about $280 million.
  • Attackers spent six months posing as a quantitative trading firm and built trust through repeated, in-person meetings at crypto conferences.
  • The group bolstered credibility inside the project by onboarding an Ecosystem Vault that held more than $1 million in deposits.
  • Forensic teams outlined two likely entry points that targeted developer devices, including a cloned repository that silently executed code in VSCode and Cursor editors and a malicious TestFlight wallet app.
  • SEAL 911 attributes the breach with medium-high confidence to UNC4736, also known as AppleJeus or Citrine Sleet, the group linked to Radiant Capital’s 2024 hack. Drift removed the compromised multisig wallets, flagged the attacker addresses, and enlisted Mandiant and law enforcement.
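A defender-side triage check prompted by the cloned-repository entry point above, added here as an example and not taken from the article or the forensic reports: it scans a fresh clone for a VS Code / Cursor `.vscode/tasks.json` task whose `runOptions.runOn` is `folderOpen`, one documented way an editor runs a command automatically when a folder is opened. The article does not state which mechanism the attackers used, so that choice and the sample tasks.json are assumptions constructed for the example.

```python
"""Scan a cloned repository for VS Code / Cursor tasks that auto-run on
folder open, so an untrusted clone can be inspected before it is opened."""
import json
import os
import re
import tempfile

TASKS_PATH = os.path.join(".vscode", "tasks.json")


def _load_jsonc(text):
    # tasks.json is JSON-with-comments: drop block comments, full-line
    # "//" comments and trailing commas, then parse as ordinary JSON.
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    text = re.sub(r"^\s*//.*$", "", text, flags=re.M)
    text = re.sub(r",(\s*[}\]])", r"\1", text)
    return json.loads(text)


def find_autorun_tasks(repo_root):
    """Return (label, command) pairs for tasks configured to run on folder open."""
    path = os.path.join(repo_root, TASKS_PATH)
    if not os.path.isfile(path):
        return []
    with open(path, encoding="utf-8") as fh:
        data = _load_jsonc(fh.read())
    hits = []
    for task in data.get("tasks", []):
        if (task.get("runOptions") or {}).get("runOn") != "folderOpen":
            continue
        cmd = str(task.get("command", ""))
        if task.get("args"):
            cmd += " " + " ".join(str(a) for a in task["args"])
        hits.append((task.get("label", "<unnamed>"), cmd))
    return hits


# Constructed sample: one ordinary build task and one auto-run task.
SAMPLE_TASKS_JSON = """{
  // constructed sample tasks.json
  "version": "2.0.0",
  "tasks": [
    {"label": "build", "type": "shell", "command": "npm run build"},
    {"label": "bootstrap", "type": "shell", "command": "node",
     "args": ["scripts/setup.js"], "runOptions": {"runOn": "folderOpen"},}
  ]
}"""


def demo():
    """Write the sample into a temporary clone and scan it."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, ".vscode"))
        with open(os.path.join(root, TASKS_PATH), "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_TASKS_JSON)
        return find_autorun_tasks(root)


if __name__ == "__main__":
    for label, cmd in demo():
        print(f"auto-run task {label!r} would execute: {cmd}")
```

Run it against a clone's root before opening the folder in the editor; any hit is a reason to review the task (or keep Workspace Trust restricted) rather than open the folder as trusted.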